This may be required when you provide functionality which relies on iframes. For me, the reason was a feature which allowed the user to embed third-party content or a web app by its URL on the extension's page.

But wait… what about the Content-Security-Policy header?

The Content-Security-Policy header also has a frame-ancestors directive, which controls whether a page may be loaded in an iframe and by which parents. It is the modern replacement for X-Frame-Options, and when a response carries both, browsers that support frame-ancestors ignore X-Frame-Options entirely.

The frame-ancestors directive takes a list of allowed sources (origins such as https://example.com, or 'self') which may load the page in an iframe, or the value 'none' to forbid framing by any parent origin.

Once your extension's origin is in that list, the page can be loaded in an iframe on the extension page, and from nowhere else.

Security?

Simply stripping the X-Frame-Options header from responses may be enough to get your feature working. But once it is stripped, every page the browser loads can be framed by any site, so the browser is again exposed to attacks which rely on iframes, the famous clickjacking technique among them. Note also that stripping X-Frame-Options alone does not unblock a site which sends frame-ancestors 'none', because the CSP directive is what the browser enforces when both are present.

However, you can do this securely by making use of the Content-Security-Policy (CSP) header. If you remove X-Frame-Options, add or rewrite the CSP header so that its frame-ancestors directive whitelists only your extension's origin, and leave the site's other directives (default-src, script-src, and so on) untouched. The page is then frameable by your extension and by nobody else.
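Here is an added example of that rewrite (my code, not from the original post or the author's extension). It is written for a Manifest V2 background script using chrome.webRequest.onHeadersReceived with the 'blocking' and 'responseHeaders' extra-info specs; the header-rewriting logic itself is plain JavaScript with no browser dependency. The extension ID in EXTENSION_ORIGIN is a constructed placeholder, and the sample response headers below are constructed, not captured from any real site.

```javascript
// Added example: strip X-Frame-Options and pin CSP frame-ancestors to one origin.
// Assumptions: Chrome MV2 webRequest blocking listener; EXTENSION_ORIGIN is a
// placeholder for the real extension origin (chrome-extension://<your-id>).
const EXTENSION_ORIGIN = 'chrome-extension://abcdefghijklmnopabcdefghijklmnop';

// Replace any frame-ancestors directive in a CSP string with one that allows
// only `allowedOrigin`, keeping every other directive exactly as the site sent it.
function setFrameAncestors(csp, allowedOrigin) {
  const directives = csp.split(';').map(d => d.trim()).filter(Boolean);
  const kept = directives.filter(d => !/^frame-ancestors\b/i.test(d));
  kept.push(`frame-ancestors ${allowedOrigin}`);
  return kept.join('; ');
}

// Takes the webRequest responseHeaders array ([{name, value}, ...]) and returns a
// new array in which X-Frame-Options is removed and every enforced CSP header
// (browsers apply all of them, so each must allow the framer) has frame-ancestors
// limited to `allowedOrigin`. Content-Security-Policy-Report-Only is left alone:
// it never blocks framing. A CSP header is appended if the site sent none, so the
// page is not left frameable by arbitrary origins once X-Frame-Options is gone.
function rewriteFramingHeaders(responseHeaders, allowedOrigin) {
  const out = [];
  let sawEnforcedCsp = false;
  for (const h of responseHeaders) {
    const name = h.name.toLowerCase();
    if (name === 'x-frame-options') continue; // DENY/SAMEORIGIN would block our frame
    if (name === 'content-security-policy') {
      sawEnforcedCsp = true;
      out.push({ name: h.name, value: setFrameAncestors(h.value || '', allowedOrigin) });
      continue;
    }
    out.push(h);
  }
  if (!sawEnforcedCsp) {
    out.push({ name: 'Content-Security-Policy', value: `frame-ancestors ${allowedOrigin}` });
  }
  return out;
}

// Register the listener only when running inside the extension. Restricting
// `types` to sub_frame keeps top-level navigations untouched, and checking
// details.initiator (Chrome-specific field, assumed here) means headers are only
// rewritten for frames that the extension page itself is embedding.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  chrome.webRequest.onHeadersReceived.addListener(
    details => {
      if (details.initiator && details.initiator !== EXTENSION_ORIGIN) return {};
      return { responseHeaders: rewriteFramingHeaders(details.responseHeaders, EXTENSION_ORIGIN) };
    },
    { urls: ['<all_urls>'], types: ['sub_frame'] },
    ['blocking', 'responseHeaders']
  );
}

// Constructed sample: a site that refuses framing via both mechanisms.
const SAMPLE_HEADERS = [
  { name: 'Content-Type', value: 'text/html' },
  { name: 'X-Frame-Options', value: 'DENY' },
  { name: 'Content-Security-Policy', value: "default-src 'self'; frame-ancestors 'none'" },
];
```

The two-layer filter (request type plus initiator) is the part worth copying: it is what keeps the rewrite from turning into a browser-wide clickjacking enabler. On Manifest V3 the same effect needs declarativeNetRequest modifyHeaders rules, which can remove X-Frame-Options but can only set CSP to a fixed string, so merging with the site's existing directives is not possible there.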